Last updated: 7 December 2015

 

European Court of Justice Safe Harbour Ruling—FAQs

 

On 6 October, 2015, the European Court of Justice (ECJ) issued its decision in the case of Maximillian Schrems v. Data Protection Commissioner, finding that the US-EU Safe Harbour Framework is invalid with immediate effect. The suspension of Safe Harbour affects many companies that need to transfer personal data from the European Union (EU) and the European Economic Area (EEA) to the United States and to other non-EU/EEA countries. Adobe has evaluated various options that will allow for the transfer of personal data from the EU/EEA to non-EU/EEA countries. Like many companies, Adobe has decided to authorise these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

 
What did the European Court of Justice decide regarding the validity of the US-EU Safe Harbour Framework?

On 6 October, 2015, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbour Framework between the US and the EU that provided a legal basis for the transfer of personal data from the EU/EEA to the United States was invalid with immediate effect. At the time of the court decision, approximately 4,500 US companies were certified, including many companies in the high technology sector. For more information on the Safe Harbour Framework, visit the US Department of Commerce’s website.

 
What is the US-EU Safe Harbour Framework?

The US-EU Safe Harbour Framework was established in 2000 by the US Department of Commerce in consultation with the European Commission to bridge the differences in approaches to privacy between the US and the EU and provide a streamlined process for the transfer of personal data from the EU/EEA to the US Under Safe Harbour, eligible US companies processing personal data collected in the EU/EEA could opt into the Safe Harbour programme by self-certifying their adherence to the seven Safe Harbour principles and 15 frequently asked questions. These were designed to assist eligible organisations to comply with the EU Directive 95/46/EC on the protection of personal data and maintain the privacy and integrity of that data.

 
What do EU and EEA stand for?

The European Union (EU) is an economic and political partnership between 28 European countries that together cover much of the European continent. The European Economic Area (EEA) unites the EU Member States and the three EEA European Free Trade Association (EFTA) States (Iceland, Liechtenstein and Norway) into an internal market governed by the same basic rules. These rules aim to enable goods, services, capital and people to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms.

 
What does the Safe Harbour ruling by the European Court of Justice mean when it comes to the transfer of data from the EU/EEA to the US?

If an US company was certified under Safe Harbour, it is now required to find another approved method for transferring personal data from the EU/EEA to the US

 
What is Adobe doing in regards to the decision by the European Court of Justice to invalidate the US-EU Safe Harbour Framework?

Adobe has evaluated various options that will allow for the transfer of personal data from the EU/EEA to a non-EU/EEA country, such as the US

Adobe has prepared a new Data Processing Agreement (DPA) for our enterprise customers, which includes Standard Contractual Clauses (SCCs), also referred to as Model Contracts. These SCCs provide a mechanism approved by the European Commission as offering adequate protection for data subjects when transferring personal data from the EU/EEA under the EU Data Protection Directive. If you are an Adobe enterprise customer transferring personal data in connection with Adobe cloud services from the EU/EEA to the US, please click here to request the new Data Processing Agreement and Standard Contractual Clauses.

 
What are Standard Contractual Clauses/Model Contracts?

Standard Contractual Clauses (SCCs), otherwise known as Model Contracts, are contract terms that have been approved by the European Commission (EC) as ensuring adequate protection for data subjects in accordance with the EU Data Protection Directive 95/46/EC when transferring personal data from the EU/EEA to non-EU/EEA countries, including to the US

 
How does the decision to invalidate Safe Harbour affect my company’s use of Adobe products?

Prior to the decision by the European Court of Justice (ECJ), Adobe relied primarily on its certification to the Safe Harbour Framework to ensure adequate protection for the transfer of personal data from the EU/EEA to the US Following the ECJ’s decision, Adobe has decided to authorise these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

Adobe has prepared a new Data Processing Agreement (DPA) for our enterprise customers, which includes the Standard Contractual Clauses (SCCs) to provide a mechanism approved by the European Commission as offering adequate protection for data subjects when transferring personal data from the EU/EEA under the EU Data Protection Directive. If you are an Adobe enterprise customer transferring personal data in connection with Adobe cloud services from the EU/EEA to the US, please click here to request the new Data Processing Agreement and Standard Contractual Clauses.

 
As an Adobe customer, can I request that all of the personal data processed by Adobe be stored on Adobe’s servers in the EU/EEA?

While Adobe does have data centres located in the EU/EEA that can be used by some of our products and services, our cloud services may still require data to be transferred to the United States to provide some features. In addition, Adobe personnel may need access to data stored in the EU/EEA from a non-EU/EEA country to provide support services. Under EU law, any access to data residing in the EU/EEA by anyone located in a non-EU/EEA country triggers the rules of transfer to a non-EU/EEA country. As such, an agreement that includes the Standard Contractual Clauses (SCCs) may still be required even if your data is stored in the EU/EEA.

 
What if I have additional questions?

Enterprise customers may contact their Adobe sales representative with additional questions.


Adobe Safe Harbour Privacy Policy

 

Last updated: 18 June 2014

 

Adobe Inc. (our US company) has certified to US–E.U. Safe Harbour Framework and the US–Swiss Safe Harbour Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal data from our subsidiaries, corporate customers and other business partners in the European Union member countries and Switzerland. To learn more about the Safe Harbour programme and to view the certification for Adobe Inc., visit http://www.export.gov/safeharbor.

This Adobe Safe Harbour Privacy Policy describes how we handle personal information (1) collected by Adobe subsidiaries, our corporate customers and other business partners located in the European Economic Area (the EEA) and Switzerland, which is then transferred to Adobe Inc. in the United States; and (2) received from companies that use one of Adobe’s hosted services (learn more) who operate in the EEA and Switzerland and processed by Adobe Inc. in the United States on behalf of the company. This Safe Harbour Privacy Policy supplements the Adobe Privacy Policy.

 

Information collected by Adobe subsidiaries, corporate customers and business partners

 

Personal information

Adobe Inc. may receive personal information from Adobe subsidiaries (see list of Adobe entities and our acquired companies), our corporate customers and other business partners in the EEA and Switzerland, such as name, email address, company name, title, postal address, telephone number and preferences regarding our applications and websites. Any personal information sent to us may be used by Adobe Inc. and its subsidiaries and their agents and business partners for the purposes described at the time the information was collected. If you agree to receive email or telephone marketing from us, personal information we receive will also be used for those purposes, as described in the Adobe Privacy Policy. If we plan to use personal information for a purpose that is incompatible with these purposes or if we plan to disclose personal information to a kind of company not described here, we will seek your consent to such uses or disclosures.

 

Agents and service providers

Adobe Inc. works with several companies to help us to deliver our services to you on our behalf. These companies provide services such as offering customer support, processing credit card payments and sending emails on our behalf. In some cases, these companies will have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes. Adobe Inc. requires that its agents and service providers that have access to personal information received by Adobe Inc. from the EU or Switzerland subscribe to the Safe Harbour Privacy Principles, be subject to the EU Privacy Directive or another adequacy finding or enter into a written agreement that requires them to provide at least the same level of privacy protection as is required by the relevant Safe Harbour Principles.

 

Security

Adobe Inc. uses reasonable physical, electronic and administrative safeguards to protect your personal information from loss; misuse; or unauthorised access, disclosure, alteration or destruction.

 

Data integrity

Adobe Inc. takes reasonable steps to ensure that your personal information we process is accurate, complete and current by using the most recent information provided to us.

 

Accessing and updating your information

You can request to review, update or delete your personal information.

 

Information processed by Adobe on behalf of a company using an Adobe hosted service

Adobe Inc. provides hosted services to companies (learn more). As part of providing these hosted services, Adobe Inc. may receive and process your personal information if you are a customer of one of these companies. When Adobe Inc. provides these services, we are referred to as a data processor. As a data processor, Adobe Inc. acts on the instructions of these companies and uses reasonable physical, electronic and administrative safeguards to protect this personal information from loss; misuse; or unauthorised access, disclosure, alteration or destruction. Companies that use an Adobe hosted service are responsible for complying with all other obligations in relation to the personal information they may collect from you.

 

Questions or concerns

If you have any complaints regarding our compliance with the Safe Harbour programme, you should first contact us. If the complaint cannot be resolved through our internal dispute resolution process, you may submit your complaint to JAMS for mediation under the JAMS International Mediation Rules, which are accessible on the JAMS website at www.jamsadr.com.

 

Changes or updates

This policy may be changed from time to time as permitted under the Safe Harbour programme. Learn more.